[apparmor] 2.5.1 build failure on Arch

andrew thomas atswartz at gmail.com
Tue Oct 19 21:24:50 BST 2010


On 10/19/2010 12:31 PM, John Johansen wrote:
> On 10/19/2010 09:50 AM, andrew thomas wrote:
>    
>>   On 10/18/2010 11:49 AM, John Johansen wrote:
>>      
>>> On 10/15/2010 09:48 PM, andrew thomas wrote:
>>>        
>>>> I am trying to build 2.5.1 on Arch Linux and am getting an error similar to this build:
>>>>
>>>> http://launchpadlibrarian.net/57686487/buildlog_ubuntu-natty-amd64.apparmor_2.5.1-0ubuntu1_FAILEDTOBUILD.txt.gz
>>>>
>>>> It gets through autogen, configure, and make in libapparmor.
>>>>
>>>> Then make in utils, but fails make in parser.
>>>>
>>>> Here is the tail end from
>>>>
>>>> $ cd parser && /usr/bin/make
>>>>
>>>> http://pastebin.ubuntu.com/514290/
>>>>
>>>> The error message does state that: Kernel needs AppArmor 2.4 compatibility patch.
>>>>
>>>> But, I believe that I applied the proper patches to the kernel.
>>>>
>>>> Any ideas?
>>>>
>>>>          
>>> Hey Andrew, it actually built but is failing during the caching function tests.  These are run against the current kernel, and it isn't finding the AppArmor 2.4 interface.
>>>
>>> You can test for yourself by looking for the file /sys/kernel/security/apparmor/profiles; if it doesn't exist you don't have the AppArmor 2.4 compatibility patch on your kernel.
>>>
>>> The patch isn't actually necessary but several things will not work if it is not present.  The parser won't do compiled policy caching, the init scripts won't work, and aa-status and a few other commands won't work either.
>>> Basically anything that requires introspection of the loaded policy or supported kernel features doesn't work correctly.  Everything else should.
>>>
>>> If you are building 2.5.1 on a buildd with a kernel that doesn't support the AppArmor 2.4 interface, then I suggest you disable the test in the Makefile with a small patch.
>>>
>>>
>>>        
>> I did look in /sys/kernel/security and it is empty.
>>      
> This says to me that the LSM is probably not configured correctly.
>
>    
>> When I compiled the kernel, I applied these two patches ( http://pastebin.ubuntu.com/515768/ & http://pastebin.ubuntu.com/515769/ ) that originally were ubuntu-maverick.git-0d8f737f1c8ad8415b3d5589caf63dee3c1b3d6f.patch & ubuntu-maverick.git-8cb3e0f8ad669be1e2027cbafb58fa7cd1928f76.patch which I modified so they also created security/apparmor/include/net.h & security/apparmor/net.c and would apply cleanly. When I use this on natty to compile the kernel, apparmor (2.5.1~rc1) works as expected, but when I compile on ArchLinux, using the natty-git source, /sys/kernel/security is empty.  Any clues to what I am doing wrong? Trying to get apparmor to work on arch may be beyond my abilities, I am sorry if I am wasting your time.
>>
>>      
> What config options do you have set under security?  These will affect whether AppArmor is compiled and whether it is the default LSM.  Since there can only be a single LSM active at a time, another LSM can block apparmor.
>
> specifically you need
> SECURITY_APPARMOR=y
>
> in make menuconfig this will look like
> y AppArmor
>
>
> You probably want to set
> SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>
> in menuconfig it is "AppArmor boot parameter default value"
>
> this tells the apparmor module to register itself by default at boot; if it is 0 you must specify apparmor=1 on the kernel command line for apparmor to take effect even if apparmor is set as the default security module.
>
>
> The other config options that can affect apparmor are
> SECURITY=y        menuconfig "y Enable different security models"
> SECURITYFS=y      menuconfig "y Enable the securityfs filesystem"
> SECURITY_NETWORK=y menuconfig "y Socket and Networking Security Hooks"
> SECURITY_PATH=y   menuconfig "y Security hooks for pathname based access control"
>
> DEFAULT_SECURITY=apparmor  menuconfig "Default security module"
> this one is not required and can be overridden on the kernel command line,
> so if apparmor is not the default lsm you would use
>
> security=apparmor
>
>
> If this doesn't work, can you attach your config and point me at a tree so
> I can build and test the kernel, and figure out what is wrong
>
> cheers
> john
>    
Thanks for your reply, John.
The weird thing is that I am using the same .config file to build my 
kernels on ubuntu, debian & arch and apparmor works just fine on the 
first two.  Here is the security section.

    #
    # Security options
    #
    CONFIG_KEYS=y
    # CONFIG_KEYS_DEBUG_PROC_KEYS is not set
    CONFIG_SECURITY=y
    CONFIG_SECURITYFS=y
    CONFIG_SECURITY_NETWORK=y
    # CONFIG_SECURITY_NETWORK_XFRM is not set
    CONFIG_SECURITY_PATH=y
    # CONFIG_SECURITY_SELINUX is not set
    # CONFIG_SECURITY_SMACK is not set
    # CONFIG_SECURITY_TOMOYO is not set
    CONFIG_SECURITY_APPARMOR=y
    CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
    CONFIG_SECURITY_APPARMOR_COMPAT_24=y
    # CONFIG_SECURITY_YAMA is not set
    # CONFIG_IMA is not set
    CONFIG_DEFAULT_SECURITY_APPARMOR=y
    # CONFIG_DEFAULT_SECURITY_DAC is not set
    CONFIG_DEFAULT_SECURITY="apparmor"
    CONFIG_CRYPTO=y

I am getting the source from 
git://kernel.ubuntu.com/ubuntu/ubuntu-natty.git  and

    patch -p1 -R < ../apparmorB.patch
    patch -p1 -R < ../apparmorA.patch
    git fetch
    git reset --hard origin/master
    patch -p1 < ../apparmorA.patch
    patch -p1 < ../apparmorB.patch

removing and reapplying the patches when I update because they rebase 
against Linus' tree. The two patches are the patches that I posted on 
pastebin in my last post.  What could be different about Arch that would 
make the kernels not work right?
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: config.saved.x86_64
Url: https://lists.ubuntu.com/archives/apparmor/attachments/20101019/884ce712/attachment-0001.txt 
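The checks John walks through above (the kernel .config options that must be set, the `security=` / `apparmor=` command-line overrides, and the `/sys/kernel/security/apparmor/profiles` file that marks the 2.4 compatibility interface) can be scripted so a rebuilt kernel is verified the same way every time. The script below is an added example written for this archive page; it is not code from the thread, from the AppArmor project, or from the Ubuntu kernel tree. The list of required options is taken from John's reply; the use of `/proc/config.gz` assumes the running kernel was built with `CONFIG_IKCONFIG_PROC`, and the sample configs in the usage are constructed.

```sh
#!/bin/sh
# check_apparmor_lsm.sh - verify a kernel .config and the running kernel
# for the AppArmor LSM settings discussed in the thread.
# Usage: sh check_apparmor_lsm.sh [path/to/.config]
#   with a path: report which required options the .config lacks
#   without one: inspect the running kernel instead

# Options John listed as required, plus the 2.4 compatibility interface
# that the 2.5.1 parser tests look for.
REQUIRED_OPTS="CONFIG_SECURITY CONFIG_SECURITYFS CONFIG_SECURITY_NETWORK CONFIG_SECURITY_PATH CONFIG_SECURITY_APPARMOR CONFIG_SECURITY_APPARMOR_COMPAT_24"

# kconfig_missing FILE
# Prints one "missing: OPT=y" line per required option that is not =y in
# FILE and returns 1 if anything is missing, 0 otherwise.  Also notes when
# CONFIG_DEFAULT_SECURITY names another LSM, since that LSM would win at
# boot unless security=apparmor is passed on the command line.
kconfig_missing() {
    file="$1"
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -qxF "${opt}=y" "$file"; then
            echo "missing: ${opt}=y"
            missing=1
        fi
    done
    default=$(sed -n 's/^CONFIG_DEFAULT_SECURITY="\(.*\)"$/\1/p' "$file")
    if [ -n "$default" ] && [ "$default" != "apparmor" ]; then
        echo "note: default LSM is '$default'; boot with security=apparmor"
    fi
    return $missing
}

# lsm_active_is_apparmor CMDLINE DEFAULT_LSM BOOTPARAM_VALUE
# Applies the precedence John describes: the compiled-in default LSM
# unless security= overrides it, and AppArmor only registers when its
# boot parameter (CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE, or apparmor=
# on the command line) is 1.  Returns 0 when AppArmor would be active.
lsm_active_is_apparmor() {
    cmdline="$1"
    lsm="$2"
    enabled="$3"
    for arg in $cmdline; do
        case "$arg" in
            security=*) lsm="${arg#security=}" ;;
            apparmor=*) enabled="${arg#apparmor=}" ;;
        esac
    done
    if [ "$lsm" = "apparmor" ] && [ "$enabled" = "1" ]; then
        return 0
    fi
    return 1
}

# running_kernel_report
# The same inspection John asked for, against the booted kernel.
running_kernel_report() {
    if [ -d /sys/kernel/security/apparmor ]; then
        echo "AppArmor securityfs interface is present"
        if [ -e /sys/kernel/security/apparmor/profiles ]; then
            echo "2.4 compatibility interface (profiles file) is present"
        else
            echo "profiles file missing: kernel lacks the AppArmor 2.4 compatibility patch"
        fi
    else
        echo "/sys/kernel/security/apparmor missing: AppArmor is not the active LSM (or securityfs is not mounted)"
    fi
    if [ -r /proc/cmdline ]; then
        echo "kernel command line: $(cat /proc/cmdline)"
    fi
    # Only present when the kernel was built with CONFIG_IKCONFIG_PROC (assumption).
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp)
        zcat /proc/config.gz > "$tmp"
        kconfig_missing "$tmp" || echo "running kernel config is incomplete for AppArmor"
        rm -f "$tmp"
    fi
}

if [ "$#" -gt 0 ]; then
    kconfig_missing "$1"
else
    running_kernel_report
fi
```

Run it against the saved `.config` from the build (`sh check_apparmor_lsm.sh config.saved.x86_64`) to confirm the options are present, then without arguments on the booted Arch kernel to see which of the two failure modes from the thread applies: no `/sys/kernel/security/apparmor` directory at all means the LSM never registered, while a directory without the `profiles` file means the LSM is up but the 2.4 interface is missing.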